[F11, SELinux] What is mls?
Stephen Smalley
sds at tycho.nsa.gov
Tue Jul 7 12:58:14 UTC 2009
On Tue, 2009-07-07 at 13:48 +0100, Marko Vojinovic wrote:
> Hello folks!
>
> On this freshly installed F11 machine (from the KDE Live CD) I often
> get selinux alerts similar to the one below. It's not just openvpn,
> but also mv (dhcpc_t) and ifconfig (ifconfig_t). I don't feel anything
> to be non-functional (aside from openvpn, but that's a different
> problem), but these alerts are confusing to me. I did a yum list
> selinux* and it replied with:
>
> Installed Packages
> selinux-policy.noarch
> selinux-policy-targeted.noarch
> Available Packages
> selinux-doc.noarch
> selinux-policy-doc.noarch
> selinux-policy-minimum.noarch
> selinux-policy-mls.noarch
>
> Here I can see that selinux-policy-mls is not installed, while all the
> alerts are related to mls. yum info selinux-policy-mls gives the
> description "SELinux Reference policy mls base module" which is not
> very informative (for me).
>
> So, five questions:
> 1) what is mls?
> 2) is installing selinux-policy-mls going to help with these alerts?
> 3) if yes, why wasn't it installed automatically?
> 4) is any of this actually related to the alerts I get?
> 5) are the alerts important, or is it safe to ignore them?
You can ignore, and I think they are silenced by a policy update.
A libselinux constructor probes for /selinux/mls to initialize internal
state used later by the library functions, and unfortunately all of the
net-tools are getting linked against libselinux now just because of
netstat -Z support. No, you don't need selinux-policy-mls.
There is a patch pending for libselinux that will make such probing
happen lazily and thus avoid such denials.
--
Stephen Smalley
National Security Agency
More information about the fedora-list
mailing list